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Course Training Documents 


QSC 2021 Configuration Assessment & Response Lab Supplement 
QSC 2021 Configuration Assessment & Response Slides 


You can download both documents from: 


https://bit.ly/qsc2lcompliance 
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Play Lab Tutorials 


http://ior.ad/7bze
PLAY http://ior.ad/7bZE

Navigate to the following URL to view the “Configure Agents for VMDR” tutorial. Click to open the Lab Tutorial, maximize the screen, and click the Start button.

[Screenshot: lab tutorial “Configure Agents for VMDR”, 15 steps / 3 mins, Nov 2020 by Qualys]


Agenda 


Qualys Sensor Overview 
Assets and User Accounts 
Policy Compliance Overview 
Qualys Control Library 

User Defined Controls 
Compliance Scanning 
Policies 

Policy & Mandate Reports 
Remediation Response 
Qualys Unified Compliance 
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Qualys Sensors 
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Qualys Sensor Platform 


- Remote Scanners (Internet facing)
- Local Scanners
- Cloud Agents (servers, endpoints, mobile devices)
- Cloud Connectors
- Passive Scanners
- SaaS Connectors
- Out-of-Band Sensors
- Container Sensors
- APIs (collect data from 3rd parties)
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Policy Compliance Assets 
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Add Scannable Hosts 


- Add Scannable hosts to Policy Compliance (PC).
- Alternatively, add hosts to Security Configuration Assessment (SCA).

[Screenshot: “Add IPs to Subscription” dialog, General Information > Subscription IPs]
Enter IPs and ranges in the field below. See the Help for proper formatting.
Network: You can choose any network. New IPs will be available to all networks, regardless of your selection. Custom host attributes will be applied only to the selected network.
It is your responsibility to verify that you have permission to scan all IPs submitted.
IPs: 64.41.200.243-64.41.200.251
Add To: Vulnerability Management (VM), Policy Compliance (PC), Security Configuration Assessment (SCA), CertView (CERT)
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Add Agent Hosts 


Install agent hosts with an Activation Key that has Policy Compliance (PC) or Security Configuration Assessment (SCA) enabled.

Alternatively, you can activate the PC or SCA module after Cloud Agent has been installed.

[Screenshot: “New Activation Key” dialog]
An activation key is used to install agents. This provides a way to group agents and better manage your account. By default this key is unlimited - it allows you to add any number of agents at any time.
Title: Compliance Lab Activation Key
Select | Create: Compliance Lab
Provision Key for these applications: Asset Inventory (AI, activations managed by AI), Patch Management (25 Activations Remaining), Vulnerability Management (VM, 15 Activations Remaining), Policy Compliance (PC, 15 Activations Remaining), Secure Config Assessment (SCA, 15 Activations Remaining)
Unlimited Key | Generate
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Lab 1 : Policy Compliance Assets 


Please consult pages 3 to 5 in the lab tutorial supplement for details.

PLAY Tutorial begins on page 3. o min.
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Address Management 


[Screenshot: “Address Management” tab, Network: Global, listing IP Tracked Addresses, DNS Tracked Addresses and NetBIOS Tracked Addresses, with Export All / Download... actions]

The “Host Assets” tab is replaced by the “Address Management” tab when Asset Group Management Service (AGMS) is enabled.

AGMS improves overall performance in asset management and Asset Group functionality.
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User Accounts 
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User Privilege Hierarchy 


Standard User Roles (most privileged to least privileged):

- Manager - Subscription Management
- Unit Manager - Business Unit Management
- Scanner - Compliance Scans, Network Discovery Maps
- Reader - Compliance Reporting

Search the online help for “User Roles Comparison” for a complete list.
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Auditor User Role 


- Has oversight responsibility for the compliance process and is responsible for approving exceptions.
- Can create policies, controls and reports.
- Cannot run Compliance scans or join a Business Unit.
- Qualys Security Configuration Assessment (SCA) does not support the “Auditor” role and exception reporting.

[Screenshot: Users > Users list]
Name | Role | Business Unit
Bill Lumbergh | Unit Manager | Initech
Bob Slydell | Auditor | Unassigned
Michael Bolton | Scanner | Initech
Milton Waddams | Scanner | Initech
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Add Users to Policy Compliance 


[Screenshot: Edit User > Permissions > Extended Permissions]
Allow this user to perform the following actions:
Manage VM module
Create/edit virtual hosts
Create option profiles
Purge host information/history
Manage PC module
Manage web applications
Create web applications

By default, Managers and Auditors have access to PC.

Unit Managers, Scanners, and Readers must be granted “extended” permissions to access PC.
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User Administration Tool 


[Screenshot: Qualys Cloud Platform > Administration > Users > Role Management]
Control user access permissions and activity in your subscription.
Roles shown: PCISCA User, PS User, QGS Manager User, QUESTIONNAIRE Manager


Policy Compliance Overview 
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Benefits of System Hardening 


Foundation of Cybersecurity | Proactive Compliance Protection

Perform vulnerability and configuration assessments on assets, especially newly provisioned assets (before they are moved into their production roles).
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Qualys Policy Compliance 


Policy Compliance 


Automates the assessment of thousands of technical security controls. 


Documents evidence where your organization has discovered and fixed 
misconfigurations and lapses. 


Provides proof of compliance across multiple compliance standards, regulations, 
benchmarks, frameworks and mandates. 


Helps to configure and secure host systems, to guard against known threats. 
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Compliance Hierarchy - a “Top — Down” Approach 


Framework Level

Regulations & Frameworks - SOX, CobiT, NERC, ...

Policies & Business Requirements - A high-level description of your organization’s goals and objectives for addressing security requirements within applicable regulations and frameworks.

Standards, Procedures & Guidelines - Specific and recommended steps for meeting objectives within your security policies (including specific software and technology requirements).

Controls - Baseline (minimum) requirements and configuration settings for securing and assessing OS and application technologies.
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Detailed Technical 


Qualys Control Library 
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Path To Compliance 


Control Library (CIDs) -> Scan Results (ACTUAL) + Policy (EXPECTED) -> Policy Report (PASS/FAIL) <-> Exceptions

1. Data points are defined within each CID in the Control Library.
2. Compliance scan collects ACTUAL “data points” from target hosts.
3. Qualys Policy specifies the EXPECTED values for all host “data points”.
4. Policy Report compares actual to expected values, producing PASS/FAIL status.
5. Interactive Reports are used to request exceptions for FAILED controls.
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Control Library 


[Screenshot: Policies > Controls, Control Library search (15415 controls in total)]
CID | Statement | Created | Modified
2234 | Status of the 'MaxAuthTries' setting in the 'sshd_config' file | 10/13/2008 | 01/04/2021
2235 | Status of the 'MaxAuthTriesLog' setting in the '/etc/ssh/sshd_config' file | 10/13/2008 | 04/23/2019
2236 | Status of the 'IgnoreRhosts' setting in the '/etc/ssh/sshd_config' file | 10/13/2008 | 01/04/2021
2237 | Status of the 'RhostsAuthentication' setting in 'sshd_config' | 10/13/2008 | 06/02/2019
2238 | Status of the 'RhostsRSAAuthentication' setting in 'sshd_config' | 10/13/2008 | 06/04/2020
2239 | Status of the 'PermitRootLogin' setting in the 'sshd_config' file | 10/13/2008 | 02/09/2021
2240 | Status of the 'PermitEmptyPasswords' setting in the 'sshd_config' file | 10/13/2008 | 01/04/2021
2241 | Status of the 'Banner' setting in the 'sshd_config' file | 10/13/2008 | 11/08/2020
2261 | Permissions set for the '/etc/login.defs' file | 10/29/ | 02/09/2021


Locate thousands of baseline configuration settings and controls in the Qualys 
Control Library. 
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SCAP 
Support 


- Import policies from the Qualys SCAP policy library.
- Upload your own custom SCAP policies.
- Perform SCAP scans to check compliance against SCAP 1.0, 1.1, and 1.2.
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SCAP Policy Library 


SCAP Policies

Browse the following list of SCAP Policies to quickly import and start scanning.

USGCB: Guidance for Securing Microsoft Windows Vista Firewall v.v1.2.3.1
This guide has been created to assist IT professionals in effectively securing systems with Microsoft Vista Firewall.
Benchmark: xccdf_gov.nist_benchmark_USGCB-Windows-Vista-firewall
SCAP Version: 1.2
Technology: Windows Vista
Published Date: May 02, 2013
Policy Status Date: February 24, 2012
Added: May 02, 2013

USGCB: Guidance for Securing Microsoft Windows Vista energy settings v.v1.2.3.1
This guide has been created to assist IT professionals in effectively configuring energy conserving settings on systems with Microsoft Windows Vista.
Benchmark: xccdf_gov.nist_benchmark_USGCB-Windows-Vista-Energy
SCAP Version: 1.2
Technology: Windows Vista


Control Types 


- Controls are the building blocks of all policies.
- Each control has a unique Control ID (CID).

Types of Controls:
- System Defined Control (SDC) - These are controls provided by Qualys.
- User Defined Control (UDC) - These are custom controls that users create.
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User Defined Controls 
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User Defined Controls 


- User Defined Controls (UDCs) allow you to perform custom compliance assessments of your unique systems and network environments.
- UDC control types are available for Windows, Unix/Linux, and Database technologies.
- Successful UDC creation requires: 1) an understanding of compliance and regulatory requirements and 2) technical systems and network configuration knowledge.
- Managers and Auditors can add UDCs to the subscription. You may also extend this privilege to Unit Managers.
- UDCs (and the Control Library) are exclusive to the Policy Compliance (PC) application and are not available in Security Configuration Assessment (SCA).
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UDC Components 


- Statement or Title - Name that appears in the Control Library.
- Category - Group controls of the same type.
- Criticality - (1) Minimal, (2) Medium, (3) Serious, (4) Critical, (5) Urgent
- Comments - Include text to quickly find your UDCs.
- Reporting Options - Specify if/when to ignore errors.
- Scan Parameters - Targeted datapoint or configuration setting (this is what is collected during a scan).
- Default Value - Evaluation expression and expected value for each control technology (this determines PASS/FAIL results).
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Scan Parameters 


Scan Parameters*
The scan parameters, or data point, indicate what location, file, or setting for the scan to check.
Registry Hive: HKEY_LOCAL_MACHINE (HKLM)
Registry Key: SYSTEM\CurrentControlSet\Services\TermService
Name: Start
Data Type: Integer
Description: Return the start-up value for Terminal Service (RDP).

- The Scan Parameters specify the datapoint this control is targeting (File path, Directory path, Registry key, Registry value, Group name, Share user, Path user, Query etc.).
- Data Type (Return value of control: Boolean, Integer, String, String List, Line List).
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Default Value 


Default Values for Control Technologies
Default values are automatically assigned when you click the check box for a technology.
Rationale: Ensure Remote Access is Disabled.
Operator: equal to (Lock Operator)
Default Value: 4 (Lock Value)
(2 = Automatic, 3 = Manual, 4 = Disabled)

- Rationale (Explain the reasoning or logic for the assessment)
- Default Value (Expected value of the collected datapoint)
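As an added example (not Qualys code), the following Python models the Path To Compliance flow with the UDC defined on these slides: the Scan Parameters name the TermService 'Start' data point, the Default Value supplies the operator and expected value, and each host's ACTUAL value is compared against it to produce PASS/FAIL, with approved exceptions overlaid. Host names and collected values are constructed sample data; the CID string, operator names and status labels are my placeholders.

```python
"""Added example, not Qualys code: a UDC's Scan Parameters and Default Value
combined into PASS/FAIL posture (ACTUAL scan data against the EXPECTED value,
approved exceptions overlaid on FAILs). The control is the TermService 'Start'
value from the slides: 2 = Automatic, 3 = Manual, 4 = Disabled, expected 4."""
from collections import Counter
from dataclasses import dataclass
import operator

# Evaluation operators a Default Value may use (names are assumed labels).
OPERATORS = {
    "equal to": operator.eq,
    "not equal to": operator.ne,
    "less than": operator.lt,
    "greater than": operator.gt,
}

# Converter applied to collected data for each UDC Data Type modelled here.
DATA_TYPES = {"Integer": int, "String": str}


@dataclass(frozen=True)
class ScanParameters:
    """The data point a compliance scan collects (the ACTUAL side)."""
    hive: str
    key: str
    name: str
    data_type: str


@dataclass(frozen=True)
class DefaultValue:
    """How the collected data point is judged (the EXPECTED side)."""
    operator: str
    expected: object
    rationale: str


@dataclass(frozen=True)
class UserDefinedControl:
    cid: str                # placeholder; the platform assigns real CIDs
    statement: str
    criticality: int        # 1 Minimal .. 5 Urgent
    params: ScanParameters
    default: DefaultValue


TERMSERVICE_START = UserDefinedControl(
    cid="UDC-EXAMPLE-1",
    statement="Status of the 'Start' value for Terminal Service (RDP)",
    criticality=4,
    params=ScanParameters("HKEY_LOCAL_MACHINE",
                          r"SYSTEM\CurrentControlSet\Services\TermService",
                          "Start", "Integer"),
    default=DefaultValue("equal to", 4, "Ensure Remote Access is Disabled."),
)

# Constructed scan results: host -> raw value collected for the data point.
# A collector may hand the number back as text; None means nothing was read.
SCAN_RESULTS = {
    "ws2016dfw210": 4,
    "ws2012dfw233": 3,
    "ws2016dfw242": "2",
    "ec2amaz-jtin3v2": None,
}


def evaluate(control, actual):
    """Compare one host's ACTUAL value with the control's EXPECTED value."""
    if actual is None:
        return "ERROR"  # data point not collected (e.g. registry key absent)
    try:
        typed = DATA_TYPES[control.params.data_type](actual)
    except (TypeError, ValueError):
        return "ERROR"  # collected data does not fit the control's Data Type
    compare = OPERATORS[control.default.operator]
    return "PASS" if compare(typed, control.default.expected) else "FAIL"


def policy_report(control, scan_results, approved_exceptions=frozenset()):
    """Per-host posture; an approved exception covers a FAIL and nothing else."""
    report = {}
    for host, actual in scan_results.items():
        status = evaluate(control, actual)
        if status == "FAIL" and host in approved_exceptions:
            status = "EXCEPTION"  # the FAIL stays visible but is accepted
        report[host] = status
    return report


def summarize(report):
    """Counts per status, the totals a policy report rolls up."""
    return dict(Counter(report.values()))


if __name__ == "__main__":
    result = policy_report(TERMSERVICE_START, SCAN_RESULTS, {"ws2012dfw233"})
    for host, status in result.items():
        print(f"{host:16} {status}")
    print(summarize(result))
```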
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Unix Control Types 


- File/Directory Existence - This control type checks for the existence of a user-specified file or directory.
- File/Directory Permission - This control type checks permissions that are set on a user-specified file or directory.
- File Content Check - This control type checks the contents of a user-specified file.
- File Integrity Check - This control type checks the integrity of a user-specified file.
- Unix Directory Search Check - This control type finds files and directories that match your search parameters (i.e. name, permissions, owner, etc.).
- Directory Integrity Check - This control type checks the integrity of Unix files at the directory level and reports hash based file integrity and snapshot updates.
- File Content Check (Agent Only) - This control type checks the contents of a user-specified file (wildcard file search).

Lab 2: File Content Check UDC
Lab 3: File Integrity Check UDC

Please consult pages 6 to 8 in the lab tutorial supplement for details.

PLAY File Content Check UDC, page 6
PLAY File Integrity Check UDC, page 7

10 min.
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Windows Control Types 


- Registry Key Existence - This control type checks for the existence of a user-specified Windows registry key.
- Registry Value Existence - This control type checks for the existence of a user-specified Windows registry key value.
- Registry Value Content Check - This control type checks the content of a Windows registry key value.
- Registry Permission - This control type checks permissions that are set on a Windows registry key.
- File Content Check (Agent Only) - This control type checks the contents of a user-specified file.
- File/Directory Existence - This control type checks for the existence of a user-specified file or directory.
- File/Directory Permission - This control type checks permissions that are set on a user-specified file or directory.
- File Integrity Check - This control type checks the integrity of a user-specified file.
- Group Membership Check - This control type lists members of a local group.
- WMI Query Check - This control type executes the WMI (Windows Management Instrumentation) query.
- Share Access Check - This control type checks for the share permissions and the directory permissions.
- Windows Directory Search Check - This control type finds Windows files and directories that match your search parameters.
- Directory Integrity Check - This control type checks the integrity of Windows files at the directory level and reports updates.
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Lab 4: File Content Check UDC 
Lab 5: File Integrity Check UDC 


Please consult pages 9 to 10 in the lab tutorial supplement for details.

PLAY File Content Check UDC, page 9
PLAY File Integrity Check UDC, page 10

10 min.
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Database Control Types 


- MS SQL Database Check - This control type executes the SQL statements on MS SQL databases.
- Oracle Database Check - This control type executes the SQL statements on Oracle databases.
- Sybase Database Check - This control type executes the SQL statements on Sybase databases.
- PostgreSQL/Pivotal Greenplum Database Check - This control type executes the SQL statements on PostgreSQL/Pivotal Greenplum databases.
- SAP IQ Database Check - This control type executes the SQL statements on SAP IQ databases.
- IBM DB2 Database Check - This control type executes the SQL statements on DB2 databases.
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regex101.com 


[Screenshot: regex101.com, flavor PCRE (PHP)]
Regular expression: /^PermitRootLogin\s*no\s*$/gm
Test string:
#PermitRootLogin no
PermitRootLogin yes
Match information: Your regular expression does not match the subject string (no match, 20 steps).
Explanation:
^ asserts position at start of a line
PermitRootLogin matches the characters PermitRootLogin literally
\s matches any whitespace character
* Quantifier - Matches between zero and unlimited times, as many times as possible, giving back as needed (greedy)
no matches the characters no literally (case sensitive)
\s matches any whitespace character

- Qualys applications use Perl Compatible Regular Expressions (PCRE).
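As an added example (not from the slides or from Qualys), the following Python runs the slide's PermitRootLogin pattern as a File Content Check over constructed sshd_config fragments, beside a reader that mimics how sshd itself selects a directive's value. Python's re module stands in for PCRE here (the anchors, \s and quantifiers used behave the same), and the stricter \s+ variant and the effective-value reader are my additions, not part of the slide.

```python
"""Added example, not from the Qualys slides: a File Content Check evaluated
with the regex101 pattern from the slide, compared with the value sshd would
actually apply. The sshd_config fragments are constructed sample data."""
import re

# Pattern shown on the slide, with the m flag: anchors apply per line.
SLIDE_PATTERN = re.compile(r"^PermitRootLogin\s*no\s*$", re.MULTILINE)

# Stricter variant (mine): require whitespace between keyword and argument so
# 'PermitRootLoginno', which is not a valid directive, cannot satisfy the check.
STRICT_PATTERN = re.compile(r"^PermitRootLogin\s+no\s*$", re.MULTILINE)

# Constructed sshd_config fragments covering the cases a content check meets.
SAMPLES = {
    "commented": "#PermitRootLogin no\n",                 # slide test line 1
    "permits": "PermitRootLogin yes\n",                   # slide test line 2
    "compliant": "Port 22\nPermitRootLogin no\n",
    "trailing_ws": "PermitRootLogin no   \n",
    "glued": "PermitRootLoginno\n",
    "indented": "  PermitRootLogin no\n",
    "first_wins": "PermitRootLogin yes\nPermitRootLogin no\n",
}


def content_check(content, pattern=SLIDE_PATTERN):
    """UDC-style File Content Check: PASS if the regex matches any line."""
    return "PASS" if pattern.search(content) else "FAIL"


def effective_value(content, keyword="PermitRootLogin"):
    """What sshd would apply: keywords are case-insensitive, leading blanks
    and comment lines are ignored, and the first occurrence of a keyword wins.
    Match blocks are deliberately not modelled."""
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == keyword.lower():
            return parts[1].strip()
    return None  # directive absent: sshd falls back to its compiled default


def compare_all(samples=SAMPLES):
    """Per sample: (slide regex verdict, strict regex verdict, sshd value)."""
    return {
        name: (content_check(text), content_check(text, STRICT_PATTERN),
               effective_value(text))
        for name, text in samples.items()
    }


if __name__ == "__main__":
    for name, (slide, strict, eff) in compare_all().items():
        print(f"{name:12} slide={slide} strict={strict} sshd_uses={eff!r}")
```

The 'glued', 'indented' and 'first_wins' rows show where a pure content check and the daemon's own reading of the file disagree.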
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Compliance Scanning 


Policy Compliance and SCA Sensors

[Diagram: Scanner Appliances and Cloud Agents reporting to the Qualys Cloud Platform]

- Deploy Qualys Scanners and Agents to collect compliance data points.


Qualys Cloud Agent 
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Cloud Agent Overview 


- Qualys Cloud Agent installs as a local SYSTEM service.
- Qualys Cloud Agent serves as a “data collector”: collected data and metadata is sent to the Qualys Cloud Platform for testing.
- Most data transmissions from the agent to the Qualys Cloud Platform focus on host changes (deltas) and do not include data already sent.
- Network filtering devices have less impact on agent data transmissions (i.e., outbound tcp/443).
- Qualys Cloud Agent provides the “response” functionality for many Qualys applications.
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Agent OS Support 


- Windows: .exe (x86_64)
- Linux: .deb (x64), .deb (ARM64), .rpm (x64), .rpm (ARM64)
- Linux PPC 64 LE: .rpm (ppc64le)
- Solaris: .pkg (x86_64), .pkg (SPARC)
- Mac: .pkg (x64)
- AIX: .bff.gz (Power5)
- BSD: .txz (x64)
- Core OS: tar.xz (x64)

Qualys Cloud Agent supports multiple operating systems.
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SCA Scan Interval 


- At each interval agents perform assigned tasks and collect host metadata (as specified in the SCA manifest).
- The data transfer and post-transfer processing steps are a part of each interval.
- The countdown to the very next interval will begin as soon as the data transfer and post-transfer processing steps have been completed.

[Screenshot: Configuration Profile Edit > SCA Scan Interval]
Configure Scan Interval for Secure Config Assessment
Configure the interval at which the agent collects data for Secure Config Assessment for the assets associated with this profile.
Data Collection Interval*: 240 min (240 - 43200)
The time lapse between the completion of the previous scan and the start of the
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PC Scan Interval 


[Screenshot: Configuration Profile Edit (Edit Mode: General Info, Blackout Windows, Performance, Assign Hosts, Agent Scan Merge, VM Scan Interval, PC Scan Interval, SCA Scan Interval)]
Configure Scan Interval for Policy Compliance
Configure the interval at which the agent collects data for Policy Compliance for the assets associated with this profile.
Data Collection Interval*: 240 min (240 - 43200)
The time lapse between the completion of the previous scan and the start of the
Scan Delay*: min (0 - 720)
The time added to the start of scanning, both for new installs and for interval scanning. Value of 0 (zero) means no delay added.
Scan Randomize*: 0 min (0 - 720)
The range of randomization added to Scan Delay to offset scanning. For example, if the randomization range is 60 mins, then a random number between 1 and 60 is calculated and used to delay the start of the next scanning interval. Value of 0 (zero) means no randomization will occur.
Scan Delay and Scan Randomize are supported for Windows Cloud Agent 4.4 and greater.

Data Collection Interval specifies the frequency in which agents perform compliance scans for the Policy Compliance (PC) application.

Scan Delay and Scan Randomize settings help to prevent large groups of agents from transmitting their data payloads all at once.
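As an added example (not Qualys code), the following Python turns the three settings above into the start time of an agent's next compliance scan and shows how Scan Randomize spreads a fleet's start minutes; the ranges are those on the slide, while the minute-based clock, the fleet size and the seed are assumptions for illustration.

```python
"""Added example, not Qualys code: Data Collection Interval, Scan Delay and
Scan Randomize (PC Scan Interval settings) combined into an agent's next scan
start, and the effect of randomization on a fleet. Ranges come from the slide;
the minute clock and fleet sizes are assumptions."""
from collections import Counter
import random

# Allowed ranges (minutes) from the configuration profile screen.
INTERVAL_RANGE = (240, 43200)
DELAY_RANGE = (0, 720)
RANDOMIZE_RANGE = (0, 720)


def settings_are_valid(interval, delay, randomize):
    """True when all three values fall inside the ranges the profile accepts."""
    return (INTERVAL_RANGE[0] <= interval <= INTERVAL_RANGE[1]
            and DELAY_RANGE[0] <= delay <= DELAY_RANGE[1]
            and RANDOMIZE_RANGE[0] <= randomize <= RANDOMIZE_RANGE[1])


def next_scan_start(done_at, interval, delay, randomize, rng=random):
    """Minute at which the next scan starts.

    done_at is when data transfer and post-transfer processing of the previous
    scan finished: the countdown starts there, not at the previous collection.
    Randomize N adds a random 1..N minutes on top of the fixed delay; 0 adds
    nothing, matching the help text on the slide."""
    if not settings_are_valid(interval, delay, randomize):
        raise ValueError("interval/delay/randomize outside the allowed ranges")
    jitter = rng.randint(1, randomize) if randomize else 0
    return done_at + interval + delay + jitter


def fleet_start_times(n_agents, interval, delay, randomize, seed=1):
    """Start minutes for n agents whose previous scans all finished at 0
    (the worst case for a simultaneous burst of payloads)."""
    rng = random.Random(seed)
    return [next_scan_start(0, interval, delay, randomize, rng)
            for _ in range(n_agents)]


def peak_agents_per_minute(start_times):
    """Largest number of agents that start in the same minute."""
    return max(Counter(start_times).values())


if __name__ == "__main__":
    for delay, rnd in ((0, 0), (0, 60), (30, 720)):
        starts = fleet_start_times(1000, 240, delay, rnd)
        print(f"delay={delay:3} randomize={rnd:3} "
              f"window={min(starts)}..{max(starts)} "
              f"peak/min={peak_agents_per_minute(starts)}")
```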
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On-Demand Scan 


Manually perform PC, SCA, and UDC scans on 
Windows and Linux agent hosts. 


Application module must be activated and its associated 
manifest must be downloaded, prior to performing an 
“on-demand” scan. 


A successful “on-demand” scan will reset the countdown 
to the next scan interval. 
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Activate Middleware Assessment 


[Screenshot: Policy Compliance > Assets > Setup > Middleware Assessment]
Enable/Disable middleware assessment of PC or SCA agents.
Actions: Activate Middleware Assessment | Deactivate Middleware Assessment | Clear Selections
Middleware Assessment Setup: Enable Middleware assessment on agents activated for config assessment as soon as the middleware technologies are detected on your assets.
Enable Middleware Assessment by default
Hosts shown: 192.168.1.210 (ws2016dfw210), 192.168.1.220

- Add Middleware manifest to PC/SCA agents, as soon as middleware technologies are detected.
- Enable for all PC/SCA agents from: Assets > Setup > Middleware Assessment.
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Middleware Technology Found 


[Screenshot: Policy Compliance > Assets > Middleware Assets]
IP | Hostname | OS | Middleware Technology | Status
192.168.1.233 | ws2012dfw233 | Windows Server 2012 R2 Standard 64 bit Edition | CHROME (1 Instance Found) | Successful Activation
192.168.1.233 | ws2012dfw233 | Windows Server 2012 R2 Standard 64 bit Edition | IEXPLORER (1 Instance Found) | Successful Activation
192.168.1.233 | ws2012dfw233 | Windows Server 2012 R2 Standard 64 bit Edition | NS (1 Instance Found) | Successful Activation
192.168.1.242 | ws2016dfw242 | Windows Server 2016 Standard 64 bit Edition Version 1607 | CHROME (1 Instance Found) | Pending Activation
192.168.1.242 | ws2016dfw242 | Windows Server 2016 Standard 64 bit Edition Version 1607 | IEXPLORER (1 Instance Found) | Pending Activation
192.168.1.242 | ws2016dfw242 | Windows Server 2016 Standard 64 bit Edition Version 1607 | NS (1 Instance Found) | Pending Activation
172.31.28.174 | ec2amaz-jtin3v2 | Windows Server 2019 Datacenter 64 bit Edition Version 1809 Build 17763 | FIREFOX (1 Instance Found) | Successful Activation

- Agent supported Middleware technology instances are automatically discovered, even if they're located in non-default directories or folders.
- Data is retrieved from the HKU registry hive to detect application instances (such as Chrome or Firefox) belonging to multiple user profiles.
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Compliance Data Collection Intervals 


Manifest | Collects | Interval
Inventory | Asset inventory such as hardware, software, active services, etc. | Daily intervals
PolicyCompliance | System Defined Control (SDC) datapoints defined in the PC Control Library | User-defined intervals (240 - 43200 min.)
SCA | Compliance datapoints defined in CIS Policy Controls | User-defined intervals (240 - 43200 min.)
UDC | User Defined Control (UDC) datapoints defined in the PC Control Library | Four-hour intervals
AutoDiscovery | Automatically discovers host middleware technologies | Four-hour intervals
MiddlewarePC | Compliance datapoints for host middleware assessments | Four-hour intervals
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Qualys Scanner Appliance 
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Scan Components 


Scan (On-Demand or Scheduled) requires:
- Scanner appliance
- Compliance Profile (scan preferences)
- Authentication (required)
- IP addresses
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Compliance Profile 
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Compliance Profile 


[Screenshot: Policy Compliance > Scans > Option Profiles]
Type | Title
Compliance | Compliance Lab Options
Compliance | Dissolvable Agent Enabled
Compliance | Dissolvable Agent Not Enabled
Compliance | Initial PC Options
Compliance | Password Audit Test
Compliance | Scan by Policy - PCSBP

Compliance Profiles contain your scanning options and preferences.

Every scan must select a Compliance Profile.

Compliance Profiles are created and edited under the “Option Profiles” tab.
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Lab 6 : Compliance Profile 


Please consult pages 11 to 15 in the lab tutorial supplement for details.

PLAY Tutorial begins on page 13. o min.
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Performance 


[Screenshot: Configure Scan Performance Settings]
Select a performance level or customize performance settings for network analysis.
Enable parallel scaling for Scanner Appliances
Overall Performance: Normal (High | Normal | Low | Custom)
Hosts to Scan in Parallel: External Scanners 15, Scanner Appliances 30
Processes to Run in Parallel (per Host): Total Processes 10, HTTP Processes 10
Packet Delay: Packet (Burst) Delay Medium
Port Scanning and Host Discovery: Intensity Normal

High - Optimized for networks with abundant bandwidth.

Normal - Recommended as best practice. Well balanced between bandwidth usage and performance.

Low - Optimized for low bandwidth network connections.
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Scan Restriction - Scan by Policy 


[Screenshot: Compliance Profile > Scan restriction]
[x] Scan by Policy
Restrict scans to controls in selected policies. You can choose up to 20 policies to scan. By default Qualys scans for all applicable controls.
You can choose one policy at a time.
If you add controls to the policies below, please be sure you scan them again.
Selected policies:
CIS Benchmark for CentOS Linux 6, v2.1.0 [Scored, Level 1 and Level 2] v.4.0
NIST 800-53 Rev 4 for Linux v.3.0

- Restrict scans to only those controls contained in the policy(s) you specify.
- Reduce overall scan time (complete scans are typically longer).
- “Scan by Policy” is required by Qualys Security Configuration Assessment (SCA).
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Set Limits On Database Control Types 


[Screenshot: Compliance Profile > Database Control Types]
These settings apply to user-defined database controls. By default, we'll return up to 5000 rows for Oracle and up to 256 rows for all other control types. Select the control type to edit the limit.
Control type | Max rows to return (default)
MS SQL Database Check | 256
Oracle Database Check | 5000
Sybase Database Check | 256
PostgreSQL/Pivotal Greenplum Database Check | 256
SAP IQ Database Check | 256
IBM DB2 Database Check | 256

Set a limit on the number of rows to be returned per scan for:
- MS SQL Database Checks
- Oracle Database Checks
- Sybase Database Checks
- PostgreSQL Database Checks
- SAP IQ Database Checks
- IBM DB2 Database Checks
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Control Types 


Control Types
Disabling certain control types will improve performance.
[x] File Integrity Monitoring controls enabled
[x] Custom WMI Query Checks

- Select these control types for UDCs that perform file integrity monitoring or WMI queries.
- If using the “Scan by Policy” option, the need for these control types will be determined by the CIDs in the targeted policy(s).
Auto Update Expected Value

Integrity Monitoring

This setting applies to file and directory integrity checks configured with "Use scan data as expected value".

When enabled, we'll update the control expected value used for posture evaluation with the actual value returned by the scan.

☑ Auto Update expected value

• When enabled, an integrity check control's EXPECTED value will be automatically updated with the ACTUAL value returned by the most recent scan.

• Needed when Integrity Check Controls are configured with "Use scan data as expected value".
Dissolvable Agent for Windows

Dissolvable Agent

The Dissolvable Agent has been accepted for your subscription. You can now select it for this profile, and select scan features that require the Agent.

Options:
• Enable the Dissolvable Agent
• Enable Password Auditing (Custom password dictionary: 0 entries, Configure...)
• Enable Windows Share Enumeration
• Enable Windows Directory Search

Enable these options, if using Share Enumeration and Directory Search UDCs for Windows.

▪ Some Windows checks require the Dissolvable Agent.
▪ Temporary agent "dissolves" when the task completes.

▪ If using the "Scan by Policy" option, the need for a Dissolvable Agent will be determined by the CIDs in the targeted policy(s).
Ports

Ports
○ Standard Scan (about 1900 ports)  View list
● Targeted Scan (Recommended)

Because authentication is required, a "Targeted Scan" is effective using a smaller list of ports than the "Standard Scan" option and is the recommended setting.
System Authentication & Instance Discovery

New Compliance Profile (Compliance Profile Title > Scan > System Authentication > Instance Data Collection > Additional)

System Authentication Records

Allow the system to create authentication records automatically using the scan data discovered for running instances. In follow up scans, compliance assessments can be performed using those system created records.

Create System Authentication Records
By choosing this option we'll restrict scans to instance discovery and record creation for the selected technology. Unix authentication is required. Compliance assessments will not be performed for any technology.

Allow instance discovery and system record creation for the following technology:
• Apache Web Server
• IBM WebSphere App Server (IBM WAS Installation Directory / IBM WAS Server Directory)
• Jboss Server
• Tomcat Server
• Oracle (system record template required)

Login credentials for system created records are saved in Oracle system record templates. Choose the template you want to use from the list below.
Oracle system record template: Oracle System Record Template

▪ Run scans to automatically discover running technology instances and create their System Authentication Records.

▪ Use the system generated records to perform compliance scans that assess these technologies on targeted hosts.
System Authentication
Step 1: Create Records

Create System Authentication Records
By choosing this option we'll restrict scans to instance discovery and record creation for the selected technology. Unix authentication is required. Compliance assessments will not be performed for any technology.

Allow instance discovery and system record creation for the following technology: Apache Web Server, IBM WebSphere App Server (IBM WAS Installation Directory / IBM WAS Server Directory), Jboss Server, Tomcat Server, Oracle (system record template required).

Login credentials for system created records are saved in Oracle system record templates. Choose the template you want to use from the list below.
Oracle system record template: Oracle System Record Template

▪ Scans using this option will restrict scans to instance discovery and System Authentication Record creation.

▪ Unix authentication is required for the host.

▪ Compliance assessments will not be performed, when using this option.
System Authentication Records

Scans > Authentication (PC Scans | Schedules | Appliances | Option Profiles | Setup)

Type | Title | IPs | Owner
Apache Web Server | Apache Web Server [System Created] - 124005 | 64.41.200.250 | System
Tomcat Server | Tomcat Server [System Created] - 124006 | 64.41.200.250 | System
Unix | Root Delegation via sudo | 64.41.200.243-64.41.200.245, 64.41.200.250 | trann3zj93 VMDR (Manager)
Windows | SJC Domain Admin | | trann3zj93 VMDR (Manager)

▪ System Authentication Records are automatically created for discovered instances.
System Authentication Records
Step 2: Use Records

Use System Authentication Records

When selected, compliance assessments will be performed using all active authentication records (system and user created). Instance discovery and record creation will not be performed.

☑ Include system created authentication records in scans

Only 1 record is used for scanning each instance. If there are 2 records (system and user created) with the same instance configuration, tell us which record to use:
● User created record
○ System created record

▪ When selected, compliance assessments will include system created authentication records in scans.

▪ If there are two records (system and user created) for the same instance, indicate which record to use.
Instance Data Collection

New Compliance Profile (Compliance Profile Title > Scan > System Authentication > Instance Data Collection > Additional)

Instance Data Collection Using OS Authentication Records

Select database technologies and applications to enable data collection on them by using authentication records created for their underlying host operating systems.

Databases: IBM DB2, Pivotal Greenplum, InformixDB, MongoDB, MS SQL, MySQL, Oracle, PostgreSQL, Sybase

Note: If you use individual database authentication records for compliance scans, we recommend not to use this option. If you enable it, you get duplicate results in compliance reports, one using database authentication records and the other using OS authentication records.

Applications and Other Technologies: Oracle JRE, IBM WebSphere Liberty

▪ Enable data collection on selected database technologies and applications, using host OS authentication records.

▪ Do not use this option, if you are already using individual database application authentication records.
SCA Scanning Options

Compliance Profiles in Qualys Security Configuration Assessment (SCA) have four basic scanning options:

1. Performance
2. Scan Restriction
3. Dissolvable Agent
4. Ports

Performance
Configure performance options for scanning your network.
Overall Performance: Normal  Configure...

Scan restriction
Scan by Policy: Restrict scans to controls in selected policies. You can choose up to 20 policies to scan. By default Qualys scans for all applicable controls. You can choose one policy at a time. If you add controls to the policies below, please be sure you scan them again.

Dissolvable Agent
The Dissolvable Agent has been accepted for your subscription. You can now select it for this profile, and select scan features that require the Agent.
Enable the Dissolvable Agent / Enable Password Auditing (Custom password dictionary: 0 entries, Configure) / Enable Windows Share Enumeration / Enable Windows Directory Search

Ports
○ Standard Scan (about 1900 ports)  View list
● Targeted Scan (Recommended)
Authentication 
Authentication is Required

Compliance scans must be performed in "authenticated" mode. By default, Qualys Cloud Agent has SYSTEM level privileges on its host.

If authentication fails for any host, the Qualys Scanner Appliance will move to the next target.

For Windows hosts that do not provide Remote Registry Service, perform scans with the Dissolvable Agent enabled.

While Qualys Cloud Agent (by default) has SYSTEM level access to its host, it does not possess application-level credentials (e.g., databases, Web servers, middleware applications, etc.).
Authentication Vaults

• In large organizations where thousands of machines are scanned regularly, managing passwords is a challenge.

• Some organizations are reluctant to let their credentials leave the network.

• Qualys integrates with multiple third-party password vaults for secure authentication.

• Each Vault solution has its own set of configuration requirements.

Authentication Vault options: CyberArk PIM Suite, Thycotic Secret Server, Quest Server, CA Access Control, Hitachi ID PAM, Lieberman ERPM, CyberArk AIM, BeyondTrust PBPS, Wallix AdminBastion (WAB), HashiCorp, Azure Key, CA PAM
Launch Compliance Scan

Launch Compliance Scan

General Information
Give your scan a name, select a scan profile (a default is selected for you with recommended settings), and choose a scanner from the Scanner Appliance menu for internal scans, if visible.

Title: Compliance Scan
Compliance Profile: Initial PC Options
Scanner Appliance: External

Choose Target Hosts from
Tell us which hosts (IP addresses) you want to scan.
● Assets  ○ Tags
Asset Groups: AG: San Jose
IPs/Ranges: (example: 192.168.0.87-192.168.0.92, 192.168.0.200)
Exclude IPs/Ranges:
Launch | Cancel

▪ Verify authentication records prior to launching compliance scans.

▪ All scans include:
1. Scan Title
2. Compliance Profile
3. Scanner Appliance
4. Target Hosts
   ▪ Asset Groups
   ▪ IP Address Range
   ▪ Asset Tags

BEST PRACTICE: Schedule Scans to run daily, weekly, or monthly.
Lab 7: Launch Compliance Scan

Please consult pages 16 to 17 in the lab tutorial supplement for details.

Tutorial begins on page 16.
Scan Results - Authentication Issues

If scan results show insufficient privileges, it implies that the Qualys scanning account was not able to access data needed to perform one or more compliance assessment tests.

Compliance Scan Results, January 03, 2020

Authentication issues found!
2 hosts returned insufficient privileges for compliance data collection.

Hosts with Insufficient Privilege (Showing 2 of 2)

DNS | IP | NetBIOS | Instance | Cause
demo01.s02.sjc01.qualys.com | 64.41.200.231 | DEMO01 | os | Insufficient privileges
demo02.s02.sjc01.qualys.com | 64.41.200.232 | DEMO02 | os | Insufficient privileges
Scan Results - Auto Discovered Instances

Auto Discovered Instances

Oracle instances were not found for these hosts: 64.41.200.243-64.41.200.245, 64.41.200.250

Apache Web Server: 64.41.200.250

Apache Web Server instances were not found for these hosts: 64.41.200.243-64.41.200.245

IBM WebSphere App Server instances were not found for these hosts: 64.41.200.243-64.41.200.245, 64.41.200.250

Tomcat Server (Installation Directory: /usr/share/tomcat6, Instance Directory: /usr/share/tomcat6): 64.41.200.250

Tomcat Server instances were not found for these hosts: 64.41.200.243-64.41.200.249, 64.41.200.251

Jboss Server instances were not found for these hosts: 64.41.200.243-64.41.200.251

When System Authentication Records are enabled in the Compliance Profile, Auto Discovered Instances will be included in your scan results.
Scan Results - Application Technologies Found

Application technologies found based on OS-level authentication

Google Chrome was found for these hosts
• Google Chrome (Windows): 64.41.200.247

Internet Explorer was found for these hosts
• Internet Explorer 10: 64.41.200.249
• Internet Explorer 11: 64.41.200.248, 64.41.200.251

Mozilla Firefox was found for these hosts
• Mozilla Firefox (Windows): 64.41.200.247
Policies

Path To Compliance

[Diagram: Qualys Control Library (CIDs) feeds Scan Results (ACTUAL) and Policy (EXPECTED); these are compared in the Policy Report (PASS/FAIL), from which Exceptions are requested.]

1. Data points are defined within each CID in the Control Library.

2. Compliance scan collects ACTUAL "data points" from target hosts.

3. Qualys Policy specifies the EXPECTED values for all host "data points".

4. Policy Report compares actual to expected values, producing PASS/FAIL status.

5. Interactive Reports are used to request exceptions for FAILED controls.
Required Policy Components

POLICY = Technologies + Controls + Target Hosts

1. All policies must have one or more technologies:
   • Operating System
   • Service/Application

2. Add SDCs and/or UDCs to a policy, from the Control Library or other policies.

3. Add hosts to a policy to define its scope:
   • Asset Groups
   • Asset Tags
Asset Groups

▪ Asset groups allow you to manually group "scannable" assets in your account.

▪ Asset groups can contain a random collection of "scannable" assets or they can be designed around specific characteristics, such as:
   • Device type
   • System priority or criticality
   • Geographic or network boundaries
   • Asset ownership
   • and more...

[Figure: example asset groups "192.168.1.0/24" and "CRITICAL"]

▪ Asset Groups cannot be nested.

▪ A matching Asset Tag is created for each Asset Group.
Asset Tags

Asset Tagging provides a more flexible and scalable way to label and organize the assets in your subscription.

Static Tags
▪ Assigned manually to host assets.
▪ Commonly used as the starting point of an Asset Tag Hierarchy.

Dynamic Tags
▪ Host assignment is determined by the Asset Tag Rule Engine.
▪ Tags dynamically change with updates to the host.

Asset Tag Hierarchy
▪ Tags are typically nested, creating various parent/child relationships.
▪ Targeting a parent tag automatically includes its child tags.

[Figure: tag hierarchy "Operating System" > "Linux", "Windows" > "Windows Client", "Windows Server"; and a separate "Compliance Lab" tag]
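Tag hierarchy resolution as an added example (not Qualys code): the tree is the one in the figure; the hosts, their OS strings and the regex form of the dynamic tag rules are constructed stand-ins for the Asset Tag Rule Engine; `hosts_in_scope` applies the "Any of the tags below" policy-scope rule with parent tags expanded to their children.

```python
import re
from typing import Dict, List, Set

# Constructed tag hierarchy mirroring the slide's figure (parent -> child tags).
TAG_TREE: Dict[str, List[str]] = {
    "Operating System": ["Linux", "Windows"],
    "Windows": ["Windows Client", "Windows Server"],
}

# Static tags: assigned manually to hosts (constructed sample inventory).
# "AG: San Jose" stands in for the tag Qualys creates to mirror an Asset Group.
STATIC_TAGS: Dict[str, Set[str]] = {
    "64.41.200.243": {"AG: San Jose"},
    "64.41.200.246": {"AG: San Jose"},
    "64.41.200.247": {"Compliance Lab"},
    "64.41.200.249": {"Compliance Lab"},
}

# Host OS strings as a scan would report them (constructed).
HOST_OS: Dict[str, str] = {
    "64.41.200.243": "CentOS 6.4",
    "64.41.200.246": "Windows 2008 Server",
    "64.41.200.247": "Windows 7 Ultimate",
    "64.41.200.249": "Windows Server 2012 Standard 64 bit Edition",
}

# Dynamic tag rules: tag -> regular expression over the OS string. A hypothetical
# stand-in for the Asset Tag Rule Engine: dynamic tags are recomputed from current
# host data every time they are asked for, never assigned by hand.
DYNAMIC_RULES: Dict[str, str] = {
    "Linux": r"CentOS|Oracle Enterprise Linux",
    "Windows Server": r"Windows (Server )?20\d\d",
    "Windows Client": r"Windows (7|8|10)\b",
}


def host_tags(host: str) -> Set[str]:
    """Static tags plus every dynamic tag whose rule matches the host's OS."""
    tags = set(STATIC_TAGS.get(host, set()))
    os_name = HOST_OS.get(host, "")
    tags.update(tag for tag, pattern in DYNAMIC_RULES.items()
                if re.search(pattern, os_name))
    return tags


def expand_tag(tag: str, tree: Dict[str, List[str]] = TAG_TREE) -> Set[str]:
    """A tag together with all of its descendants in the hierarchy."""
    result: Set[str] = set()
    stack = [tag]
    while stack:
        current = stack.pop()
        if current in result:        # guard against an accidental cycle in the tree
            continue
        result.add(current)
        stack.extend(tree.get(current, []))
    return result


def hosts_in_scope(selected_tags: List[str]) -> List[str]:
    """Hosts that carry ANY of the selected tags, parents expanded to their children."""
    wanted: Set[str] = set()
    for tag in selected_tags:
        wanted |= expand_tag(tag)
    return sorted(h for h in HOST_OS if host_tags(h) & wanted)


if __name__ == "__main__":
    for selection in (["Windows Server"], ["Windows"], ["Operating System"], ["AG: San Jose"]):
        print(f"{selection!r:24} -> {hosts_in_scope(selection)}")
```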
Lab 8: Asset Groups & Tags

Please consult pages 18 to 19 in the lab tutorial supplement for details.

Tutorial begins on page 18.
Policy Scope

• Asset Groups and Asset Tags define the "Scope" of a Policy.

Edit policy assets. Tell us the hosts you want to analyze for compliance with this policy. Have Cloud Agent? You can also include agent hosts.

Choose Target Hosts from
You can select a combination of asset groups and asset tags, and we'll evaluate the policy against all matching hosts.

● Asset Groups  ○ Tags
Search asset groups: All asset groups selected
1 asset group selected: AG: San Jose
Hosts with Cloud Agents: ☐ Include all hosts with PC agents

○ Asset Groups  ● Tags
Include hosts that have Any of the tags below: Windows Server
Policy Creation Options

Create a New Policy

Choose a policy source
How do you want to begin your policy? Select from the options below to start creating your new policy.

Empty Policy: Build a policy from scratch
Existing Host: Build a policy from a previously scanned host
From Library: Choose from one of the policies in our library
XML File: Upload a policy from your local file

• Create New Policy from scratch
• Create New Policy using existing host
• Import Policy from Library*
• Import Policy from XML file

*Security Configuration Assessment (SCA) only uses "Import Policy from Library."
Import Policy from Library

Create a New Policy

Policy from Library: Choose from one of the policies in our library.

Find the policy that best suits your needs. Our Compliance Policy Library contains several sample policies based on popular compliance frameworks, including SOX, HIPAA, CoBIT and more. Click on one of the policies below, and then click Next to import it.

Filters: All | New | Updated | CIS | Mandate | Qualys | Vendor | OCA | DISA STIG | SCSEM

Technologies (first entries of the list): AIX 6.x, AIX 7.x, Amazon Linux 2 AMI, Amazon Linux AMI, Apache HTTP Server 2.2.x, Apache HTTP Server 2.4.x, Apache Kafka, Apache Tomcat 6.x, Apache Tomcat 7.x, Apache Tomcat 8.x, Apache Tomcat 9.x, Apple Safari 11.x, Apple Safari 12.x, ArubaOS 6.x, Brocade Fabric 7.x

Policies (426), first entries of the list:
• CIS Benchmark for IBM AIX 6.1, v1.1.0 [Scored, Level 1] - Version 6.0, 10/29/2019 (View Description | View Policy)
• CIS Benchmark for IBM AIX 6.1, v1.1.0 [Scored, Level 1 and Level 2] - Version 5.0, 06/11/2019
• CIS Benchmark for IBM AIX 7.1, v1.1.0 [Scored, Level 1 and Level 2] - Version 8.0, 10/29/2019
• CIS Benchmark for Apache Tomcat 6.0 v1.0.0 [Scored and Not Scored, Level 1] - Version 3.0, 10/29/2019

Security Configuration Assessment (SCA) provides over 400 CIS Benchmark policies.
Lab 9: Import Policy from Library

Please consult pages 20 to 22 in the lab tutorial supplement for details.

Tutorial begins on page 21 (5 min).
Policy Scope

While imported policies already include technologies and controls, you still need to provide the Asset Groups or Asset Tags, to define the Policy Scope.

Edit policy assets. Tell us the hosts you want to analyze for compliance with this policy. Have Cloud Agent? You can also include agent hosts.

Choose Target Hosts from
You can select a combination of asset groups and asset tags, and we'll evaluate the policy against all matching hosts.

● Asset Groups: Search asset groups (All asset groups selected); 1 asset group selected: AG: San Jose; Hosts with Cloud Agents: Include all hosts with PC agents

● Tags: Include hosts that have Any of the tags below: Windows Server
XML Export / Import

• Policies can be exported and then reimported to and from XML files (CSV format is only supported for exports).

Create a New Policy

Policy from XML File: Import an XML file from your local file system.

Import an XML file. The XML file may be one that was exported from your account or one that was shared with you. We will perform XML validation checks. If validation fails, you'll see an error. Please fix the XML and try again.

Choose your file: Select an XML file for import. REQUIRED
Choose File | No file chosen

** The "Policy Compliance Strategies & Best Practices Self-Paced Training Course" provides extra details (including lab tutorials) for exporting and importing policies (qualys.com/learning).
Create Empty Policy

Create a New Policy

[Cropped target-hosts dialog: Assign asset groups or tags; Have Cloud Agent? You can also include agent hosts. Choose Target Hosts from Asset Groups; Hosts with Cloud Agents: Include all hosts with PC agents]

Policy Editor > Controls
Add Controls | Copy Controls | Reorder
Reference | CID | Statement | Technology | Criticality
You have not added any controls yet.
Evaluate now | Save As... | Save

▪ Add technologies, assets, and controls.

Lab 10: Create Empty Policy

Please consult pages 23 to 31 in the lab tutorial supplement for details.

Tutorial begins on page 23.
Add Controls vs. Copy Controls

Add Controls

▪ Add controls directly from the Control Library.
▪ Added controls will reflect the default values (found in the Control Library).
▪ Controls added from the Control Library often require adjustments or tuning.

Copy Controls

▪ Copy controls from other policies.
▪ Copied controls will reflect the expected values (from the origin policy).
▪ Controls copied from existing policies are already tuned for specific frameworks, regulations, mandates, standards, or benchmarks.
Create Policy From Existing Host

Create a New Policy

Policy from Host: Build your policy based on a previously scanned host.

Select a scanned host. We'll build a policy for you based on the latest compliance findings for the selected host. We'll add controls to the policy and organize them into sections.

[Host list, 1-19 of 19, columns IP address | Network | Hostname | Netbios | OS; visible rows: 10.136.196.211, 10.238.206.234, 64.41.200.231, 64.41.200.232, 64.41.200.240, 64.41.200.244, 64.41.200.245, 64.41.200.246]

▪ The policy will inherit the technologies discovered on the selected host.

▪ The policy will only contain controls (SDCs) associated with configuration settings, parameters and artifacts found on the selected host.

▪ The Default Values for all controls in the policy will match the "actual" data points collected from the selected host.

• Because cardinality is difficult to determine, controls containing a list of values will typically require some adjustment and tuning.
Controls with Cardinality

Data Type: String List or Regex List

▪ Compares a list of actual values collected from a host (X), to a list of expected values within the control (Y).

CARDINALITY      | YOU ARE COMPLIANT WHEN
contains         | X contains all of Y
does not contain | X does not contain any of Y
matches          | All strings in X match all strings in Y (any order)
is contained in  | All strings in X are contained in Y
intersect        | Any string in X matches any string in Y

▪ X (Actual) = List of values returned by a scan or agent.
▪ Y (Expected) = List of values defined by a control.
String List Cardinality Example

Evidence: List the names of running processes.

Expected (Y):
'QualysAgent.exe'
'SecurityHealthService.exe'

Actual (X):
'System Idle Process'
'System'
'OneDrive.exe'
'QualysAgent.exe'
'SgrmBroker.exe'
'SkypeHost.exe'
'LogonUI.exe'
'lsass.exe'
'SecurityHealthService.exe'
'VGAuthService.exe'
'vmtoolsd.exe'

Result for each cardinality:
contains: PASS
does not contain: FAIL
matches: FAIL
is contained in: FAIL
intersect: PASS
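The five cardinality rules from the table, reduced to a small evaluator and run over the process lists on this slide. This is an added example, not Qualys code: the PASS/FAIL semantics follow the "Controls with Cardinality" table, the sample lists are the ones shown above, and the `regex` flag implements the Regex List data type (exercised here with the `.+` pattern and `root` value from the GRUB2 regex slide later in the deck).

```python
import re
from typing import Dict, List

# Cardinality semantics from the "Controls with Cardinality" table:
#   X = actual values returned by the scan or agent,
#   Y = expected values defined in the control.
CARDINALITIES = ("contains", "does not contain", "matches", "is contained in", "intersect")


def _same(actual: str, expected: str, regex: bool) -> bool:
    """Compare one actual value with one expected value.

    String List: exact, case-sensitive equality.
    Regex List:  the expected value is a pattern that must match the whole actual value.
    """
    if regex:
        return re.fullmatch(expected, actual) is not None
    return actual == expected


def evaluate(cardinality: str, actual: List[str], expected: List[str], regex: bool = False) -> str:
    """Return "PASS" or "FAIL" for list X (actual) against list Y (expected).

    Note: an empty X makes "does not contain" and "is contained in" pass vacuously;
    the slides do not say how the platform scores a host that returned no value
    ("Attribute not found"), so treat that case separately before calling this.
    """
    if cardinality not in CARDINALITIES:
        raise ValueError(f"unknown cardinality: {cardinality!r}")
    x, y = actual, expected

    def in_y(a: str) -> bool:           # actual value has a counterpart in the expected list
        return any(_same(a, e, regex) for e in y)

    def in_x(e: str) -> bool:           # expected value has a counterpart in the actual list
        return any(_same(a, e, regex) for a in x)

    if cardinality == "contains":              # X contains all of Y
        ok = all(in_x(e) for e in y)
    elif cardinality == "does not contain":    # X contains none of Y
        ok = not any(in_x(e) for e in y)
    elif cardinality == "matches":             # every X is in Y and every Y is in X (any order)
        ok = all(in_y(a) for a in x) and all(in_x(e) for e in y)
    elif cardinality == "is contained in":     # every X is in Y
        ok = all(in_y(a) for a in x)
    else:                                      # intersect: at least one X is in Y
        ok = any(in_y(a) for a in x)
    return "PASS" if ok else "FAIL"


def evaluate_all(actual: List[str], expected: List[str], regex: bool = False) -> Dict[str, str]:
    """Score every cardinality at once, as the slide's result column does."""
    return {c: evaluate(c, actual, expected, regex) for c in CARDINALITIES}


# Sample data copied from the slide: control "List the names of running processes".
EXPECTED_PROCESSES = ["QualysAgent.exe", "SecurityHealthService.exe"]
ACTUAL_PROCESSES = [
    "System Idle Process", "System", "OneDrive.exe", "QualysAgent.exe",
    "SgrmBroker.exe", "SkypeHost.exe", "LogonUI.exe", "lsass.exe",
    "SecurityHealthService.exe", "VGAuthService.exe", "vmtoolsd.exe",
]

if __name__ == "__main__":
    for card, result in evaluate_all(ACTUAL_PROCESSES, EXPECTED_PROCESSES).items():
        print(f"{card:16s} {result}")
    # Regex List variant: expected pattern ".+" against the single actual value "root".
    print("regex matches    ", evaluate("matches", ["root"], [".+"], regex=True))
```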
Test & Evaluate Controls

List the names of running processes.
Cardinality: does not contain | Data type: string list | Expected: wireshark.exe, nmap.exe

Please enter the IP address you want to test this control against and click Evaluate.
IP Address: [ ]  View IPs  Evaluate

Control result: The expected value does match the configuration gathered from the target.
You may change both the target and the expected value and click Evaluate again.

Actual
List the names of running processes.
Last updated: 10/15/2020 at 07:43:57 PM (GMT-0500)
'System Idle Process'
'System'

• From the Policy Editor, adjust a control's cardinality, data type, expected value, or IP address and click the "Evaluate" button.

• Best Practice: adjust or tune the default values of controls added from the Control Library.
Testing Regular Expressions

The following List String value(s) X indicates the list of users with PBKDF2 hashed passwords set using the password_pbkdf2 directive, configured for GRUB2 in file /boot/grub2/grub.cfg.

Cardinality: matches | Data type: regular expression list | Expected: .+

Please enter the IP address you want to test this control against and click Evaluate.
IP Address: 192.168.1.222  View IPs  Evaluate

The expected value does match the configuration gathered from the target.
You may change both the target and the expected value and click Evaluate again.

Actual
The following List String value(s) X indicates the list of users with PBKDF2 hashed passwords set using the password_pbkdf2 directive, configured for GRUB2 in file /boot/grub2/grub.cfg.
Last updated: 10/24/2019 at 15:50:07 (GMT-0500)
root

• Use the "Evaluate" button in the Policy Editor to test regex.
Reports
Policy Compliance Reports

Policy Compliance (Dashboard | Policies | Scans | Reports | Exceptions | Assets | Users)
Reports | Schedules | Policy Summary | Control View

New report menu:
• Compliance Report
   • Authentication Report
   • Policy Report
   • Interactive Report
   • Scorecard Report
   • Mandate Based Report
   • STIG Based Report
• SCAP Report
Other actions: View Report, Download..., Template

• Security Configuration Assessment (SCA) provides the "Authentication" and "Policy" reports.
Authentication Report

Unix/Cisco/Checkpoint Firewall
Host | Host Technology | Status | Cause | OS | Last Auth | Last Success
64.41.200.243 (demo13.s02.sjc01.qualys.com, -) | CentOS 6.x | Passed | - | CentOS 6.4 | 03/06/2018 | 03/06/2018
64.41.200.244 (demo14.s02.sjc01.qualys.com, -) | Oracle Enterprise Linux 5.x | Passed | - | Oracle Enterprise Linux 5.6 | 03/06/2018 | 03/06/2018
64.41.200.245 (demo15.s02.sjc01.qualys.com, -) | Oracle Enterprise Linux 7.x | Passed | - | Oracle Enterprise Linux 7.1 | 03/06/2018 | 03/06/2018

Windows
Host | Host Technology | OS | Last Auth | Last Success
64.41.200.246 (demo16, DEMO16) | Windows 2008 Server | | 03/06/2018 | N/A
64.41.200.247 (trn-win7.tm.qualys.com, TRN-WIN7) | Windows 7 | Ultimate | 03/06/2018 | 03/06/2018
64.41.200.249 (trn-win2012-dc.tm.qualys.com, TRN-WIN2012-DC) | Windows 2012 Server | Windows Server 2012 Standard 64 bit Edition AD | 03/06/2018 | 03/06/2018

Not Attempted
Host | Host Technology | Status | Cause | Last Auth | Last Success
64.41.200.248 (demo18.s02.sjc01.qualys.com, -) | Windows Vista / Windows 2008 / Windows 7 / Windows 2012 / Windows 8 / Windows 10 | Not Attempted | There are no records setup for the host type. | N/A | N/A
Policy Report

(1.4) 1071 Status of the 'Minimum Password Length' setting    Status:
Instance: os
Evaluation Date: 10/20/2020 at 11:23:47 AM (GMT-0500)

Among the several characteristics that make 'user identification' via password a secure and workable solution is setting a 'minimum password length' requirement. Each character that is added to the password length squares the difficulty of breaking the password via 'brute force,' which attempts using every combination possible within the password symbol set-space, in order to discover a user's password. While no 'minimum length' can be guaranteed secure, eight (8) is commonly considered to be the minimum for most application access, along with requiring other password security factors, such as increasing the size of the symbol set-space by requiring mixed-cases, along with other forms of password variability creation, increases the difficulty of breaking any password by brute-force attack.

Evidence
The following Integer value X indicates the current status of the Minimum Password Length (min_pass_len) setting for local accounts.

Expected: greater than or equal to 14 (any of the selected values below)
Actual: Attribute not found
Last updated: 10/19/2020 at 10:22:04 AM (GMT-0500)

Lab 11: Create Policy Report

Please consult page 34 in the lab tutorial supplement for details.

Tutorial begins on page 34 (9 min).
Policy Report Source

Report Source*
Select a policy to draw data from.
Policy: Compliance Lab UDC Policy
Include: All Assets in policy | Select Asset Groups in policy | Select IPs in policy | Single Instance | Select Asset Tags

Once a specific policy has been selected, only host assets defined within the Policy Scope will be included in a Policy Report. Additional filtering options include:

• All Assets in policy - Include all assets defined within the policy scope.
• Select Asset Groups in policy - Include assets from one or more specific Asset Groups.
• Select IPs in policy - Include one or more IP addresses.
• Single Instance - Include one or more technology instances.
• Select Asset Tags - Include assets labeled with one or more specific Asset Tags.
Certified Reports

Leave policy locked to maintain certification.

Report header: Ian Johnson, Qualys Training, 08/10/2017 at 14:49:00 (GMT +0100); CIS Certified (Center for Internet Security)

Report Summary
Policy: CIS Benchmark for Microsoft Windows 10 Enterprise RTM (Release 1511) - Cloud Agent
Policy Locking: Locked - CIS Certified Policy
Fields: Template, Asset Groups, Asset Tags, PC Agent IPs, Active Hosts, Controls, Technologies, Total Control Instances, Total Passed, Total Failed, Total Error, Approved Exceptions, Pending Exceptions

Create a New Policy: Policy from Library (Choose from one of the policies in our library)
Give your policy a name. The policy name will appear in your policies list for quick identification. For Example: CIS Windows Server 2003 Benchmark v1.2
Name your policy (REQUIRED): CIS Benchmark for CentOS Linux 6, v2.1.0 [Scored, Level 2] v.2.0
☐ Import as unlocked
☑ Activate this policy: Your policy will be available for scanning and reporting. Clear this check box to activate the policy at a later time.
Scorecard Report

Overall Compliance: 6% across 2 unique policies
Passed: 32 (6%)
Failed: 491 (94%)
Error: 0 (0%)

Compliance by Policy (Passed / Failed / Error shown per policy)

To help manage and assess your overall compliance activity and efforts,
compare multiple policies in a Scorecard Report.
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Distribute Scheduled Reports 


Scheduled Reports Setup 


Distribution 


You have the option to send reports as part of scheduled report notifications. Select a distribution option: 


Attachment or Link
A report less than 5 MB will be sent as an attachment. If greater than 5 MB, a report link will be sent. 


Attachment Only 
A report less than 5 MB will be sent as an attachment. If greater than 5 MB, no report will be sent. 


Link Only 
A report link will be sent. 


Don't Send the Report 
The report will not be sent as an attachment or link. 
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Best Practices 


Schedule compliance scans and reports to run on a regular basis 
(reporting to follow scanning). 


Run additional scans after adding controls to the Control Library. 


Initially, focus on Failed controls with CRITICAL and URGENT 
severity. 


Controls that are failing pervasively are also good mitigation targets.


Use the Qualys API to share compliance data with third-party
applications or GRC solutions.
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Interactive Report: Requesting Exceptions 
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Exception Example 


Policy: Reduce overall attack surface by removing vulnerable
protocols from all host assets (e.g., Telnet, FTP, TFTP, etc.)


Exception: Some legacy network devices still rely on Telnet, FTP, 
and TFTP for configuration and administrative purposes. 


Compensation: IPSEC encryption will be implemented on network 
segments that have vulnerable protocol traffic, until legacy network 
devices are upgraded or replaced. 


Approved: An exception is granted to legacy network devices for 90 
days. At the end of this period, remaining devices will return to FAIL 
status. 
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Interactive Report 


Use Interactive Reports to request and manage exceptions.

Control Pass/Fail Report - Allows you to select the control you want to report on.

Individual Host Compliance - Allows you to select the host you want to report on.

Security Configuration Assessment (SCA) does not provide Interactive Reports for requesting exceptions.


New Compliance Interactive Report

Select an interactive report from the list below.

Real-time Reports
Report Types: Control Pass/Fail | Individual Host Compliance (preview shown: Control Pass/Fail/Error Report)


Request Exceptions for Failed Controls

Report Setup: Target | Layout
Passed | Failed | Error
Criticality*: UNDEFINED | MINIMAL | MEDIUM | SERIOUS | CRITICAL | URGENT
Order
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Request Exception 


Request Exception

Details
Comments (required): Requesting 90-day exception for Training Lab hosts.
Assign to (required): Qualys Auditor (Auditor: trann3qe25)
Reopen exception on change of evidence: This applies only if the exception is approved and the collected evidence has a value that is different than the current value, and the control is still failing (or has an error).

Requests are typically assigned to the "Auditor" account, for approval.

Requests can also be assigned to other user accounts, to collect additional details or comments.

Comments are required.


Lab 12 : Interactive Report 


Please consult pages 35 to 38 in the lab tutorial 


supplement for details. 


PLAY 4 Tutorial begins on page 35. o min. 
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Working with Exceptions 
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Auditor Role 


Users | Business Units | Distribution Groups | Activity Log

Name           | Login      | Title              | Role    | Business Unit
Qualys Auditor | trann3qe25 | Compliance Auditor | Auditor | Unassigned
Qualys Manager | trann3zj92 | student            | Manager | Unassigned

Although the "Manager" user role is capable of approving/rejecting exceptions,
the "Auditor" role was designed specifically for this task.
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Lab 13 : Working With Exception Requests 


Please consult pages 39 to 40 in the lab tutorial 


supplement for details. 


PLAY 4 Tutorial begins on page 39. 5 min. 
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Edit Exceptions 


Edit Exception

Details
Action: Approved
End Date: 03/31/2021
Reassign (required): Qualys Auditor (Auditor: trann3qe25)
Comments (required): Training Lab hosts are granted an exception for 90-days
Reopen exception on change of evidence: This applies only if the exception is approved and the collected evidence has a value that is different than the current value, and the control is still failing (or has an error).
Save

Edit an exception request to approve, reject or reassign.

Comments are required.

Auditors may want to exercise the option to "reopen" an approved request, if the collected evidence ever changes and the outcome remains: FAIL.
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Passing with Exceptions 


Order | CID  | Reference | Control                                                                   | Category                    | Posture    | Criticality | Exception
1.1   | 1318 | 1.1.1     | Status of the 'Enforce password history' setting                          | Access Control Requirements | Passed (E) | URGENT      | Approved
1.2   | 3376 | 1.1.2     | Status of the 'Maximum Password Age' setting (expiration)                 | Access Control Requirements | Failed     | URGENT      |
1.3   | 1072 | 1.1.3     | Status of the 'Minimum Password Age' setting                              | Access Control Requirements | Failed     |             | Expired
1.4   | 1071 | 1.1.4     | Status of the 'Minimum Password Length' setting                           | Access Control Requirements | Failed     | URGENT      | Expired
1.5   | 1092 | 1.1.5     | Status of the 'Password Complexity Requirements' setting                  | Access Control Requirements | Failed     |             | Pending
1.6   | 2484 | 1.1.6     | Status of the 'Store passwords using reversible encryption' setting       | Access Control Requirements | Passed     |             |
1.7   | 234  | 1.2.4     | Status of the 'Account Lockout Duration' setting (invalid login attempts) | Access Control Requirements | Passed     | URGENT      |

Callouts on the Exception column: Approved, Expired Approval, Pending Action.

Note the "E" on the "Passed" posture of control 1.1: the control passes by virtue of an approved exception.
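The exception lifecycle the last three slides describe (Passed-with-exception marker, expiry at the end date, and "reopen on change of evidence"), as an added example that is not Qualys code; the class and field names, evidence strings and dates are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class ExceptionRequest:
    status: str                      # "Pending", "Approved", "Rejected" or "Expired"
    end_date: Optional[date] = None  # approval end date, e.g. 90 days out
    reopen_on_change: bool = False   # "Reopen exception on change of evidence"
    approved_value: str = ""         # evidence value on record when approved


@dataclass
class ControlInstance:
    cid: int
    raw_posture: str                 # "Passed", "Failed" or "Error" from the scan
    evidence: str                    # value collected for this control
    exception: Optional[ExceptionRequest] = None


def effective_posture(ci: ControlInstance, today: date) -> str:
    """Posture shown in a report after the exception is applied.
    'Passed (E)' is the slide's Passed-with-exception marker; the exception's
    status is updated in place when it expires or is reopened."""
    if ci.raw_posture != "Failed" or ci.exception is None:
        return ci.raw_posture            # exceptions only matter for failing controls
    ex = ci.exception
    if ex.status != "Approved":
        return "Failed"                  # Pending, Rejected or Expired: no relief
    if ex.end_date is not None and today > ex.end_date:
        ex.status = "Expired"            # end of the period: back to FAIL
        return "Failed"
    if ex.reopen_on_change and ci.evidence != ex.approved_value:
        ex.status = "Pending"            # evidence changed and still failing: reopened
        return "Failed"
    return "Passed (E)"


def demo() -> dict:
    """Walk CID 1318 (password history) through approval, reopen and expiry.
    Evidence strings and dates are constructed for the example."""
    ci = ControlInstance(1318, "Failed", "history=10",
                         ExceptionRequest("Approved", date(2021, 3, 31), True, "history=10"))
    out = {"approved": effective_posture(ci, date(2021, 1, 15))}
    ci.evidence = "history=12"           # setting changed but still below 24
    out["evidence changed"] = effective_posture(ci, date(2021, 1, 20))
    out["status after change"] = ci.exception.status
    ci.exception.status, ci.exception.approved_value = "Approved", "history=12"
    out["re-approved"] = effective_posture(ci, date(2021, 2, 1))
    out["after end date"] = effective_posture(ci, date(2021, 4, 1))
    out["status after end date"] = ci.exception.status
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:22} {result}")
```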
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Working with Mandates 
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Mandates 


Mandate Information

General Information
Title: CIS Critical Security Controls (Top 5)
Version: Ver 6.1
Published by: Center for Internet Security (CIS)
Requirements: 5

Mandate Details
CIS Critical Security Controls (Top 5)
  CSC #1 Inventory of Authorized and Unauthorized Devices
    CA-7 CONTINUOUS MONITORING
      1061 Status of the existence of plus sign or '+' entries in the host's password-related files
      1117 Status of the 'inetd' or 'xinetd' service
      1130 Status of the 'telnet' service (Unix/Linux)

Mandates are mapped to specific controls (CIDs), but do NOT contain default values that could potentially be used to perform a PASS/FAIL assessment.

Mandates contain a list of requirements which are mapped to specific Qualys CIDs.

Mandates contain control number references, not functional controls needed to perform assessments.
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Mandate Report 


New Mandate Based Report

Report Info
Mandates: Select mandates (maximum 3).
Add mandates: Search... | Add All | Remove All
Selected: CIS Critical Security Controls (Top 5) (View | Remove)

Policies: Select policies to evaluate data against (maximum 10).
Add policies: Search...
Selected: CIS Benchmark for CentOS Linux 6, v2.1.0 [Scored, Level 1 and Level 2] ... (View | Remove)

Report Source
Report Options
Run | Cancel

Mandates must be paired with policies that contain the functional controls referenced in each mandate.

A Mandate Report combines up to three Mandates with up to ten policies to provide a comprehensive view of your overall compliance posture.
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Mandate Template 


Group by*: Mandate | Control objective

Filter by policy controls (only evaluated controls will be displayed)

Group by Mandate or Control objective.

Use the "Filter by policy controls" option to filter out controls that have not been evaluated.
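The mandate/policy pairing described on the Mandates, Mandate Report and Mandate Template slides, as an added example that is not Qualys code: the requirement-to-CID mapping is the one shown on the Mandates slide, the evaluated control instances and host names are constructed, and the 3-mandate/10-policy limits, the Group by choice and the Filter by policy controls option are modelled as function parameters.

```python
# Mandate as on the Mandates slide: (requirement, control objective, CID).
MANDATES = {
    "CIS Critical Security Controls (Top 5)": [
        ("CSC #1 Inventory of Authorized and Unauthorized Devices",
         "CA-7 CONTINUOUS MONITORING", 1061),
        ("CSC #1 Inventory of Authorized and Unauthorized Devices",
         "CA-7 CONTINUOUS MONITORING", 1117),
        ("CSC #1 Inventory of Authorized and Unauthorized Devices",
         "CA-7 CONTINUOUS MONITORING", 1130),
    ],
}

# Constructed evaluated control instances from the paired policy:
# (policy, CID, host, posture). CID 1061 is deliberately absent.
POSTURE = [
    ("CIS Benchmark for CentOS Linux 6, v2.1.0", 1117, "centos6-a", "Failed"),
    ("CIS Benchmark for CentOS Linux 6, v2.1.0", 1117, "centos6-b", "Passed"),
    ("CIS Benchmark for CentOS Linux 6, v2.1.0", 1130, "centos6-a", "Passed"),
    ("CIS Benchmark for CentOS Linux 6, v2.1.0", 1130, "centos6-b", "Passed"),
]

RANK = {"Passed": 0, "Error": 1, "Failed": 2}   # worst result wins per CID


def cid_posture(posture):
    """Collapse per-host results into one posture per CID."""
    worst = {}
    for _policy, cid, _host, result in posture:
        if cid not in worst or RANK[result] > RANK[worst[cid]]:
            worst[cid] = result
    return worst


def mandate_report(mandates, posture, group_by="mandate", filter_evaluated=True):
    """Return {group: {requirement: {cid: posture}}}.
    group_by is "mandate" or "objective" (the template's Group by option);
    filter_evaluated mirrors "Filter by policy controls"."""
    policies = {row[0] for row in posture}
    if len(mandates) > 3 or len(policies) > 10:
        raise ValueError("a Mandate Report pairs at most 3 mandates with 10 policies")
    evaluated = cid_posture(posture)
    report = {}
    for name, rows in mandates.items():
        for requirement, objective, cid in rows:
            group = name if group_by == "mandate" else objective
            if cid in evaluated:
                status = evaluated[cid]           # posture comes from the paired policy
            elif filter_evaluated:
                continue                          # only evaluated controls are displayed
            else:
                status = "Not evaluated"          # no paired policy contains this CID
            report.setdefault(group, {}).setdefault(requirement, {})[cid] = status
    return report


if __name__ == "__main__":
    print(mandate_report(MANDATES, POSTURE))
    print(mandate_report(MANDATES, POSTURE, group_by="objective", filter_evaluated=False))
```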
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Dashboard & Posture 
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Switch to PC Dashboard 


Policy Compliance (classic UI): Dashboard | Policies | Scans | Reports | Exceptions | Assets | Users

The new and enhanced Policy Compliance UI is now enabled for you!

It's time for a fresh look at your compliance data using customizable widgets and dashboards along with powerful new features for in-depth analysis of your compliance posture! Switch to PC Dashboard Beta

Default Dashboard (Last Updated: Wednesday, 03 Nov 2021)
Evaluated policies: 4 | Evaluated controls: 927
Top Failing Policies by Technology: Windows 10, Windows 2012 Server, CentOS 6.x, Oracle Enterprise Linux 7.x, Oracle Enterprise Linux 5.x
Your last scans (View all) | Schedule a Scan
Your upcoming scans: No upcoming schedules.
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Posture 


Policy Compliance (new UI): DASHBOARD | POSTURE | POLICIES | SCANS | REPORTS | EXCEPTIONS | ASSETS | USERS

Posture view (Controls, Search)
Total Control Instances: 5.07K | Compliance: 37.67% | Total Passed: 1.91K | Total Failed: 3.16K
Failure by Criticality (chart). Filters: STATUS (FAIL 3.16K, PASS 1.91K), CRITICALITY (3: 2.2K, 4: 1.88K, 2: 504, 5: 447, UNDEFINED: 23), EXCEPTION STATUS

STATUS | CID    | CONTROL STATEMENT                                                                   | TECHNOLOGY/INSTANCE | ASSET                       | POLICY
PASS   | 100022 | Unix Directory Search Check (Oct 26, 2021)                                          | CentOS 6.x          | demo20.s02.sjc01.qualys.com | PCSBP
PASS   | 8375   | Current list of running processes (Oct 28, 2021)                                    | Windows 2016 Server | ws2016dfw208                | Best Practice Controls for Reducing Risk related to Malware/Ransomware v.4.0
FAIL   | 10007  | Status of the 'default behavior for AutoRun' (Oct 28, 2021)                         | Windows 2016 Server | ws2016dfw208                | Best Practice Controls for Reducing Risk related to Malware/Ransomware v.4.0
FAIL   | 11282  | Status of the 'SMB v2' protocol for LanManServer services on Windows (Oct 28, 2021) | Windows 2016 Server | ws2016dfw208                | Best Practice Controls for Reducing Risk related to Malware/Ransomware v.4.0
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Dashboard

Policy Compliance dashboard (Last 30 Days)

OVERALL COMPLIANCE: 37.67% (Total Count 5.07K: Fail 3.16K, Pass 1.91K)
OVERALL COMPLIANCE FOR OS: 37.84% (Total Count 4.33K: Fail 2.69K, Pass 1.64K)
OVERALL COMPLIANCE FOR MIDDLEWARE: 59.52% (Total Count 336)
Remediation & Response 
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Qualys Script Manager 


Create New Script

STEPS 1/4: Script Details (1 Script Details, 2 Add Script, 3 Assign Assets, 4 Review & Confirm)
Name*: Qualys Script Manager
Description
Severity*: Severity 5
Integrations*
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Execute Scripts on Global IT Assets 


Integrate scripts with 
Qualys Policy Compliance 


- Perl
- Python
- PowerShell
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Scripts for Data Collection 


Script (STEPS 2/4: Add Script)

#Credit Card Number Regex
$CCNpattern = '\b(?:\d[ -]*?){13,16}\b'

#VISA Number Regex
$VISApattern = '\b4(?:\d[ -]*?){12,15}\b'

# MASTERCARD Number Regex (51-55 and 2221-2720 prefixes, 16 digits)
# NOTE: the 2-series alternatives below are reconstructed; verify the prefix ranges before use
$MASTERpattern = '\b(?:5[1-5](?:\d[ -]*?){2}|222(?:[1-9][ -]*?)|22[3-9](?:[0-9][ -]*?)|2[3-6](?:[0-9][ -]*?){2}|27[01](?:[0-9][ -]*?)|2[ -]*?7[ -]*?2[ -]*?0[ -]*?)(?:\d[ -]*?){12}\b'

# American Express Number Regex
$AEpattern = '\b3[47](?:\d[ -]*?){13}\b'

# Diners Club Number Regex (300-305, 36, 38 prefixes, 14 digits)
$DCpattern = '\b3[ -]*?(?:0[ -]*?[0-5][ -]*?|[68][ -]*?[0-9][ -]*?)(?:\d[ -]*?){11}\b'

# JCB CARD Number Regex (2131 and 1800 prefixes, 15 digits; 35xx prefixes, 16 digits)
$JCBpattern = '\b(?:2[ -]*?1[ -]*?3[ -]*?1[ -]*?|1[ -]*?8[ -]*?0[ -]*?0[ -]*?|3[ -]*?5[ -]*?(?:\d[ -]*?){3})(?:\d[ -]*?){11}\b'

#Social Security Number Regex
$SSNpattern = '\b\d{3}([- ]?)\d{2}([- ]?)\d{4}\b'

#Birthdate Regex (date following a birth-related keyword, captured in the REDACT group)
$birth = '\b(birth|birthdate|birthday|dob|born)\W+(?:\w+\W+){0,5}?(?<REDACT>(\d{4}|\d{1,2})[/\-]\d{1,2}[/\-](\d{4}|\d{1,2}))\b'
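An added example, not Qualys code, that runs three of the patterns above in Python and adds a Luhn check so a card-shaped match is only reported when its check digit is valid; Python's re module needs (?P<name>...) where the slide's .NET regex uses (?<name>...), and the sample text, masking format and function names are constructed here.

```python
import re

# Three of the slide's patterns, unchanged except that Python's re module
# is used in place of .NET regex.
PATTERNS = {
    "VISA": re.compile(r"\b4(?:\d[ -]*?){12,15}\b"),
    "AMEX": re.compile(r"\b3[47](?:\d[ -]*?){13}\b"),
    "SSN":  re.compile(r"\b\d{3}([- ]?)\d{2}([- ]?)\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Mod-10 check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:             # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan(text: str) -> list:
    """Return (kind, masked value) for each finding. Card-shaped matches
    are reported only if they also pass Luhn, which drops most false
    positives (order numbers, phone numbers, typos) a bare regex flags."""
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if kind != "SSN" and not luhn_ok(digits):
                continue
            findings.append((kind, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


# Constructed sample text using published test numbers, not real accounts.
SAMPLE = """customer card 4111 1111 1111 1111 on file;
old card 4111-1111-1111-1112 (typo); amex 3782 822463 10005;
ssn 078-05-1120 listed for verification"""

if __name__ == "__main__":
    for kind, masked in scan(SAMPLE):
        print(kind, masked)
```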
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© Qualys. cloud Platform 


Scripts for Remediation

Update Script: Account Policy Remediation Level 1
Platform*: Windows
Type*: PowerShell
Script: Remediate misconfigurations

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
# Each bare quoted string is written to the script output as a label for the
# `net accounts` command that follows it.

#(L1) Ensure 'Account lockout duration is set to 15 or more minute(s)'
"Account lockout duration is set to 15 or more minute(s)"
net accounts /lockoutduration:30

#(L1) Ensure 'Account lockout threshold is set to 10 or fewer invalid logon attempt(s), but not 0'
"Account lockout threshold is set to 10 or fewer invalid logon attempt(s), but not 0"
net accounts /lockoutthreshold:30   # NOTE: 30 does not meet the "10 or fewer" stated in the title

#(L1) Ensure 'Enforce password history is set to 24 or more password(s)'
"Enforce password history is set to 24 or more password(s)"
net accounts /UNIQUEPW:24

#(L1) Ensure 'Maximum password age is set to 60 or fewer days, but not 0'
"Maximum password age is set to 60 or fewer days, but not 0"
net accounts /MAXPWAGE:90   # NOTE: 90 does not meet the "60 or fewer" stated in the title

#(L1) Ensure 'Minimum password age is set to 1 or more day(s)'
"Minimum password age is set to 1 or more day(s)"
net accounts /MINPWAGE:30

#(L1) Ensure 'Minimum password length is set to 14 or more character(s)'
"Minimum password length is set to 14 or more character(s)"
net accounts /MINPWLEN:14
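The commands above set the values; the check below, an added example that is neither Qualys nor CIS code, evaluates the six control titles against the text that `net accounts` prints on Windows, supplied here as a constructed sample so it runs anywhere. With the values the script sets, two controls (lockout threshold 30, maximum password age 90) come out FAIL.

```python
import re

# Constructed `net accounts` output reflecting the values the slide's
# remediation script sets (threshold 30, max age 90, min age 30).
SAMPLE_OUTPUT = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          30
Maximum password age (days):                          90
Minimum password length:                              14
Length of password history maintained:                24
Lockout threshold:                                    30
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
The command completed successfully.
"""

# Control title from the slide -> (setting label in `net accounts`, pass test)
CONTROLS = {
    "Account lockout duration is set to 15 or more minute(s)":
        ("Lockout duration (minutes)", lambda v: v >= 15),
    "Account lockout threshold is set to 10 or fewer invalid logon attempt(s), but not 0":
        ("Lockout threshold", lambda v: 0 < v <= 10),
    "Enforce password history is set to 24 or more password(s)":
        ("Length of password history maintained", lambda v: v >= 24),
    "Maximum password age is set to 60 or fewer days, but not 0":
        ("Maximum password age (days)", lambda v: 0 < v <= 60),
    "Minimum password age is set to 1 or more day(s)":
        ("Minimum password age (days)", lambda v: v >= 1),
    "Minimum password length is set to 14 or more character(s)":
        ("Minimum password length", lambda v: v >= 14),
}


def parse_net_accounts(text: str) -> dict:
    """Map each `net accounts` setting label to an integer value.
    Non-numeric values such as 'Never' or 'Unlimited' are stored as 0,
    which is what the 'but not 0' controls are guarding against."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s+(\S+)\s*$", line)
        if m:
            label, value = m.group(1).strip(), m.group(2)
            settings[label] = int(value) if value.isdigit() else 0
    return settings


def evaluate(text: str) -> dict:
    """Return PASS/FAIL per control title, or ERROR if the setting is missing."""
    settings = parse_net_accounts(text)
    posture = {}
    for title, (label, ok) in CONTROLS.items():
        if label not in settings:
            posture[title] = "ERROR"
        else:
            posture[title] = "PASS" if ok(settings[label]) else "FAIL"
    return posture


if __name__ == "__main__":
    for title, status in evaluate(SAMPLE_OUTPUT).items():
        print(f"{status:5} {title}")
```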
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Review and Approval 


SCRIPTS | JOBS | ACTIVITY LOGS

TITLE                                 | DESCRIPTION                          | PLATFORM
Sensitive Data Discovery              | Sensitive data discovery is th...    | WINDOWS / Powershell
Conti Windows Remote Execution ...    | Conti Windows Remote Execu...        | WINDOWS / Powershell
Conti Windows Remote Execution ...    | Conti Windows Remote Execu...        | WINDOWS / Powershell
Windows Remote Execution Reme...      | Windows Remote Execution R...        | WINDOWS / Powershell
Conti Remote Execution Remediati...   | Conti Remote Execution Rem...        | WINDOWS / Powershell
Remote Execution Remediation scr...   | Remote Execution Remediati...        | WINDOWS / Powershell

Scripts must be reviewed and approved before execution.
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VMDR Remediation Report 


Prioritized Assets (of 1.4K) | Prioritized Vulnerabilities (of 9.19K) | Remediation

Vulnerabilities (24) | Patches (6) | Assets (28) | Misconfigurations

Actions: Create Remediation Job | Add to Existing Remediation Job | Create Alert | Add Exception

Misconfigurations listed:
Status of the default Group ID (GID) setting for the root acco...
Status of the chargen-dgram service
Status of the ntp package
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Qualys Unified Compliance Solutions 
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PC / SCA - IT Compliance, Technical Controls
Define and monitor IT security standards aligned to regulations.
Out-of-the-box content to fast-track assessments using industry best practices.

IT Compliance, Administrative Controls
Automate risk management process for third parties like vendors, suppliers and contractors.
Create campaigns with pre-built and custom templates.

PCI - PCI DSS Compliance
Automate PCI compliance testing, reporting and submission.
Benefit from the Approved Scanning Vendor (ASV) requirements that Qualys PCI fulfils.

File Integrity Monitoring
Log and track file changes across global IT systems.
Out-of-the-box profiles to meet common compliance and audit requirements.

Qualys Unified Compliance Solutions

CloudView
Generate inventory of assets across public clouds.
Detect and respond to misconfigurations and non-standard deployments using Cloud Security Assessment.

OCA - Out-of-band Configuration Assessment
Extract configuration data from host assets.
For disconnected or air-gapped networks.
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OCA Architecture 


Air-Gapped Network: Highly Secure Devices, Legacy Systems, Highly locked down systems

Data transfer via a Management Client on the Internet Connected Network, then Data Upload to the Qualys Cloud Platform (Tagging and Assessment)

Use Qualys Out-of-Band Configuration Assessment (OCA), to import "air-gapped" asset configurations into your Policy Compliance subscription.
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OCA Policies 


Create a New Policy

Policy from Library: Choose from one of the policies in our library.

Find the policy that best suits your needs. Our Compliance Policy Library contains several sample policies based on popular compliance frameworks,
including SOX, HIPAA, CoBIT and more. Click on one of the policies below, and then click Next to import it.

Filters: All | New | Updated | CIS | Qualys | Vendor | Mandate

Technologies: Aruba ClearPass Policy Manager 6.x, ArubaOS 6.x, ArubaOS 8.x, Brocade Fabric 7.x, Brocade Fabric 8.x, Cisco FTD 6.x, Cisco IOS 15.x, Cisco ISE 2.x, Cisco ISE 3.x, Cisco WLC 8.x, Comware 5, Comware 7, ...

Policies (34)
Security Configuration and Compliance Policy for Brocade Fabric 7.x (OCA) - Version 1.0, 07/23/2019 (View Description | View Policy)
Security Configuration and Compliance Policy for Brocade Fabric 8.x (OCA) - Version 1.0, 07/23/2019 (View Description | View Policy)
Security Configuration and Compliance Policy for Data Domain OS 5 (OCA) - Version 1.0, 07/23/2019 (View Description | View Policy)
Security Configuration and Compliance Policy for Riverbed SteelHead RiOS 9.x (OCA) - Version 2.0, 11/18/2020 (View Description | View Policy)

Imported OCA assets are added to your Policy Compliance subscription, automatically.

Qualys provides "out-of-box" policies for OCA assets.
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Course Resources 


Policy Compliance Certification Exam 
https://gm1.geolearning.com/geonext/qualys/scheduledclassdetails4enroll.geo? &id=2251 1237828 


Qualys Trial Account 
https://www.qualys.com/free-trial/ 


You will find the exam link and trial account link at the back of the 
Configuration Assessment & Response Lab Tutorial Supplement. 
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Qualys. 


Continuous Security 


Thank You 


training@qualys.com 
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